1. Field of the Invention
Embodiments of the present invention generally relate to computer security systems and, more particularly, to a method and apparatus for detecting malicious software activity based on an Internet resource information database.
2. Description of the Related Art
Widespread Internet usage by most organizations results in an increase in computer system attacks. Various malicious software programs (e.g., viruses, Trojan horses, worms and/or the like) cause many of these computer system attacks. These malicious software programs may be transmitted (i.e., downloaded) to a vulnerable computer without user consent and/or knowledge as executable programs, email attachments, malicious HTML code on web pages and/or the like.
The malicious software programs may exert control over an operating system and modify various files (e.g., system registry entries) in order to disrupt operation of a computer system. The malicious software programs may also exploit the computer system for illegitimate purposes (e.g., misappropriate sensitive data, such as intellectual property, customer data, medical histories, financial records, purchase orders, legal documents, privileged and/or confidential information, social security numbers, addresses, pictures, documents, contacts, and/or the like). For example, hackers may design rootkits to hide processes, files and activities from the authorized user of the computer system.
Organizations having computers that are exposed to the Internet may employ various security software programs (e.g., anti-virus, anti-spyware and/or anti-phishing software programs) to detect and prevent the execution of such malicious software programs. The security software programs utilize behavior and/or static analysis to detect the malicious software programs. These security software programs may monitor the computer system using pre-defined activity-based and/or code-based signatures. These security software programs may also provide various remedial measures, such as quarantining, repairing or deleting infected files.
The security software programs, however, depend upon prior knowledge of such signatures and are therefore limited to detecting malicious software programs for which appropriate signatures are available. These security software programs may fail to recognize behavior and/or software code associated with the malicious software programs. Accordingly, the security software programs are unable to detect a malicious software program for which a code-based signature or an activity-based signature is unknown.
Additionally, the security software programs maintain information (e.g., a white list) regarding legitimate websites, publishers (e.g., vendors) and/or the like. Downloading applications from legitimate websites and/or publishers is most likely safe. For example, the user may safely download a software package from www.symantec.com because SYMANTEC is well-known for providing legitimate software programs. There are, however, many websites and/or publishers that are illegitimate and/or unknown. If the user downloads one or more applications from such websites and/or publishers, the execution of the one or more applications may corrupt critical data and/or crash the computer system.
Therefore, there is a need in the art for a method and apparatus for detecting malicious software activity based on an Internet resource information database.